Top Threats to
Cloud Computing
Deep Dive 2025
Top Threats Working Group
About the Deep Dive Report
• Companion to the Top Threats to Cloud Computing 2024 survey report
• Features 8 breach case studies, including:
• Snowflake (2024)
• Football Australia (2024)
• Crowdstrike (2024)
• Toyota (2023)
• DarkBeam (2023)
• Retool/Fortress (2023)
• FTX (2022)
• Microsoft (2024)
• Each includes:
• Threat Modeling + Narrative
• Mapped Top Threats (TT1–TT11)
• CCM 4.1 Controls (Preventive / Detective / Corrective)
• KPIs + Control Effectiveness
• Designed for cloud practitioners, CISOs, architects, risk managers
Observed vs. Perceived Threats
• Top 3 Observed in Real-World Cases (Deep Dive):
• TT2 – Identity & Access Management (7/8)
• TT1 – Misconfiguration & Change Control (5/8)
• TT6 – Insecure Software Development (4/8)
• Top 3 Surveyed Concerns (2024):
• TT2 – IAM
• TT1 – Misconfiguration
• TT3 – Insecure APIs
• Insight: IAM failures and misconfigurations dominate the observed breaches even though organizations rate them as lower-priority risks when deciding what to implement.
• Note: Only one case (Snowflake) mapped to both TT2 (IAM) and TT11 (Advanced Persistent Threats), showing attacker sophistication applied exactly where fundamental controls were weakest. This gap reflects an ongoing disconnect between perceived and actual risk impact in cloud deployments.
• Data Point: Over 50% of organizations in the CSA survey rated misconfigurations as low-to-moderate risk, yet misconfiguration appears in 5 of the 8 real-world breaches.
Snowflake (2024)
• Industry: Data Platform / SaaS
• Threat Actor: UNC5537 ("Judische/Waifu")
• Vector: Infostealer malware → credential reuse → no MFA → data exfiltration
• Attack Path Summary: Initial access via infostealer logs sold on forums → reused Snowflake credentials → lack of MFA and anomaly detection enabled lateral access and exfiltration.
• Victims: AT&T, Ticketmaster, Santander
• Top Threats: TT2 (IAM), TT11 (APT)
• Controls Missed: IAM-14, IVS-03, LOG-03, SEF-07
• Notable Detail: Attackers reused credentials harvested by infostealer campaigns months and, in some cases, years earlier; the passwords were still valid. Many affected tenants neither required MFA nor had anomaly detection on logins.
• Impact:
• $2M extorted
• SEC breach disclosures
• Hundreds of downstream customers exposed
• Metrics:
• % of user accounts with MFA disabled
• Access logs without anomaly baselines
• Mitigations:
• Enforce MFA, remove long-lived credentials
• Implement cross-tenant activity correlation
• Review third-party application scopes and tokens
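The metrics and mitigations above become three concrete checks: MFA coverage, a per-user login baseline with deviation alerts, and correlation of source IPs across tenants. The Python below is an added example written for this page, not code from Snowflake, Mandiant or the CSA report. The login and user rows are constructed and only loosely follow the columns of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and USERS views; the /24 grouping, the cutoff date and the tenant names are assumptions.

```python
from collections import defaultdict

# Constructed sample rows: (tenant, user, iso_timestamp, client_ip, client_type, success)
LOGINS = [
    ("tenant-a", "etl_svc", "2024-05-01T08:00:00", "203.0.113.10", "SNOWFLAKE_UI", True),
    ("tenant-a", "etl_svc", "2024-05-02T08:05:00", "203.0.113.10", "SNOWFLAKE_UI", True),
    ("tenant-a", "etl_svc", "2024-05-03T08:01:00", "203.0.113.11", "SNOWFLAKE_UI", True),
    ("tenant-b", "analyst1", "2024-05-02T09:00:00", "192.0.2.20", "SNOWFLAKE_UI", True),
    # After the cutoff: one source IP, a driver nobody used before, three tenants
    ("tenant-a", "etl_svc", "2024-05-20T02:14:00", "198.51.100.7", "PYTHON_DRIVER", True),
    ("tenant-b", "analyst1", "2024-05-20T02:30:00", "198.51.100.7", "PYTHON_DRIVER", True),
    ("tenant-c", "admin", "2024-05-21T03:00:00", "198.51.100.7", "SNOWFLAKE_UI", False),
]
# Constructed user rows: (tenant, user, has_mfa, disabled)
USERS = [
    ("tenant-a", "etl_svc", False, False),
    ("tenant-a", "dba", True, False),
    ("tenant-b", "analyst1", False, False),
    ("tenant-b", "old_contractor", False, True),  # disabled: excluded from the KPI
    ("tenant-c", "admin", True, False),
]
CUTOFF = "2024-05-15T00:00:00"  # baseline window ends here (ISO strings sort chronologically)


def prefix24(ip):
    """Group IPv4 sources by /24 so a DHCP change inside one office does not alert."""
    return ".".join(ip.split(".")[:3])


def mfa_coverage(users):
    """KPI: % of enabled users with MFA disabled, and who they are."""
    enabled = [u for u in users if not u[3]]
    missing = [f"{t}/{n}" for t, n, has_mfa, _ in enabled if not has_mfa]
    pct = 100.0 * len(missing) / len(enabled) if enabled else 0.0
    return round(pct, 1), missing


def build_baseline(logins, cutoff):
    """Per (tenant, user): source /24s and client types seen in successful logins before cutoff."""
    base = defaultdict(lambda: {"prefixes": set(), "clients": set()})
    for tenant, user, ts, ip, client, ok in logins:
        if ok and ts < cutoff:
            base[(tenant, user)]["prefixes"].add(prefix24(ip))
            base[(tenant, user)]["clients"].add(client)
    return base


def flag_deviations(logins, baseline, cutoff):
    """Logins at or after cutoff whose source or client is outside the user's baseline."""
    out = []
    for tenant, user, ts, ip, client, ok in logins:
        if ts < cutoff:
            continue
        b = baseline.get((tenant, user))
        reasons = []
        if b is None:
            reasons.append("no baseline")  # never had a successful login before the cutoff
        else:
            if prefix24(ip) not in b["prefixes"]:
                reasons.append(f"new source {prefix24(ip)}.0/24")
            if client not in b["clients"]:
                reasons.append(f"new client {client}")
        if reasons:
            out.append((tenant, user, ts, ok, reasons))
    return out


def cross_tenant_ips(logins, min_tenants=2):
    """Source IPs touching several tenants: the cross-tenant correlation the slide asks for."""
    seen = defaultdict(set)
    for tenant, _, _, ip, _, _ in logins:
        seen[ip].add(tenant)
    return {ip: sorted(t) for ip, t in seen.items() if len(t) >= min_tenants}


def high_risk(logins, users, cutoff):
    """Baseline deviations by users without MFA: the combination behind the exfiltration."""
    no_mfa = {(t, n) for t, n, has_mfa, dis in users if not has_mfa and not dis}
    devs = flag_deviations(logins, build_baseline(logins, cutoff), cutoff)
    return [d for d in devs if (d[0], d[1]) in no_mfa]


if __name__ == "__main__":
    print("MFA gap:", mfa_coverage(USERS))
    for d in high_risk(LOGINS, USERS, CUTOFF):
        print("HIGH RISK:", d)
    print("shared sources:", cross_tenant_ips(LOGINS))
```

A provider sees the cross-tenant signal (one IP and one driver hitting many accounts); a single tenant only sees its own deviation, so the per-tenant baseline and the MFA gap are what each customer can act on.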
Football Australia (2024)
• Industry: Sports / Events
• Threat: Hardcoded AWS keys in public website JS source
• Attack Path Summary: Developer inadvertently commits plaintext IAM credentials → shipped with the public web front end → discoverable by anyone scanning client-side JavaScript for key patterns (here, security researchers) → the keys could list buckets and download sensitive PII
• Data Exposed: Passport scans, match ticketing info, IaC scripts
• Top Threats: TT1, TT2, TT6, TT7, TT10
• Controls Missed: CCC-03, DSP-07, STA-13, LOG-03
• Notable Detail: Keys were static and present for over 700 days; the incident was discovered not through internal monitoring but through external disclosure by researchers.
• Impact:
• $370K+ in breach management cost
• Violations of Australian Privacy Act
• Global headlines during national tournament
• Metrics:
• % of secrets managed outside vaults
• # of public endpoints with embedded credentials
• Mitigations:
• Rotate keys, block public buckets
• Secret scanning in CI/CD pipelines
• Ensure logging baseline policies
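The "secret scanning in CI/CD pipelines" mitigation above is the kind of gate that would have blocked this deployment. The following Python is an added example for this page, not Football Australia's or the report's tooling: a minimal scanner for AWS access key IDs and candidate secret keys, with an entropy filter so constants do not trip it. The file names and JavaScript are constructed; the key values are the example credentials AWS publishes in its own documentation, not live keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 upper-case alphanumerics
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A 40-char base64-like value assigned to something named like a secret key
AWS_SECRET = re.compile(r"(?i)secret[_-]?(?:access[_-]?)?key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s):
    """Bits per character; real secrets sit well above constants such as '000...0'."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(v):
    return v[:4] + "..." + v[-4:]


def scan_text(path, text, min_entropy=4.0):
    """Return findings as (path, line_no, kind, redacted_value); never log the full value."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, no, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((path, no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files):
    """files: {path: text}. In CI, walk the *built* bundle, not only the source tree."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def ci_gate(files):
    """Exit status for a pipeline step: 1 blocks the deploy when any finding exists."""
    findings = scan_files(files)
    for f in findings:
        print(f"BLOCK {f[0]}:{f[1]} {f[2]} {f[3]}")
    return 1 if findings else 0


# Constructed sample bundle. Key values are AWS's published documentation examples,
# so they are not live credentials; the file names and surrounding JS are made up.
SAMPLE_FILES = {
    "public/js/app.min.js": (
        "var s3=new AWS.S3({accessKeyId:'AKIAIOSFODNN7EXAMPLE',"
        "secretAccessKey:'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',region:'ap-southeast-2'});\n"
    ),
    "public/js/vendor.js": (
        "const SECRET_KEY='0000000000000000000000000000000000000000';\n"  # low entropy: ignored
        "const tag='AKIA'+' is a prefix, not a key';\n"
    ),
}

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_FILES))
```

Scanning the built artifact matters because bundlers inline environment values that never appear in the repository. A finding should trigger revocation of the key before rotation, since a key that has been public for any length of time must be assumed copied.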
CrowdStrike (2024)
• Industry: Cybersecurity Vendor
• Root Cause: A faulty Falcon content (channel file) update caused an out-of-bounds memory read in the sensor's kernel driver, crashing Windows hosts
• Attack Path Summary: Malformed rapid-response content passed the vendor's content validator because of a bug in the validator → pushed automatically to Windows Falcon sensors worldwide without a staged rollout → hosts blue-screened and boot-looped because the bad file was reloaded on every start → critical services offline (airlines, hospitals, emergency services)
• Impact: >$5B in downstream business disruption, flight cancellations, emergency responses
• Top Threats: TT6 (SDLC), TT1, TT4, TT5
• Control Gaps: CCC-02 (QA), TVM-03, SEF-03, A&A-06
• Notable Detail: No threat actor was involved; the failure came from the vendor's own validation and release process. It highlights the risk of excessive trust in a centralized security vendor whose updates run in kernel mode on every endpoint.
• Metrics:
• % of endpoints receiving vendor updates outside a staged (canary → broad) rollout
• Time to detect and roll back a faulty update (MTTD/MTTR)
• % of critical systems with a tested recovery path for an agent failure
• Mitigations:
• Require vendors to stage content and agent updates, and control update cadence where the product allows it
• Test failover and recovery for security-agent failures, not only for attacks
• Audit vendor dependencies and build fallback so one agent is not a single point of failure
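The control gap labelled CCC-02 (QA) and the takeaway that vendors are not fail-safe both come down to one mechanism: a staged rollout that promotes an update ring by ring only while telemetry from the previous ring stays healthy. The Python below is an added example for this page, not CrowdStrike's code or release process. The rings, thresholds and probe functions are constructed; a real health_probe would query endpoint boot and crash telemetry.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Ring:
    name: str
    hosts: int
    soak_minutes: int  # telemetry wait before promoting to the next ring (0 = final ring)


@dataclass
class RolloutResult:
    deployed: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None
    reason: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.halted_at is None


# Assumed ring plan: tiny internal canary first, then widening slices of the fleet
DEFAULT_RINGS = [
    Ring("internal-canary", 50, 60),
    Ring("early-adopters", 1_000, 120),
    Ring("fleet-1pct", 10_000, 240),
    Ring("fleet-all", 1_000_000, 0),
]


def rollout(update_id: str, rings: List[Ring],
            health_probe: Callable[[str, Ring], Tuple[int, int]],
            max_crash_rate: float = 0.001, min_reports: int = 20) -> RolloutResult:
    """Push update_id ring by ring. Promotion requires the current ring to have reported
    enough telemetry and a crash rate at or below max_crash_rate; otherwise halt here,
    leaving the remaining (and largest) rings untouched. health_probe(update_id, ring)
    returns (crashes, reports) observed during the ring's soak window."""
    res = RolloutResult()
    for ring in rings:
        res.deployed.append(ring.name)
        if ring.soak_minutes == 0:
            break  # final ring: nothing left to gate
        crashes, reports = health_probe(update_id, ring)
        if reports < min_reports:
            # Hosts that crash on boot stop reporting: silence is a failure, not a pass
            res.halted_at = ring.name
            res.reason = f"insufficient telemetry ({reports} reports, need {min_reports})"
            return res
        rate = crashes / reports
        if rate > max_crash_rate:
            res.halted_at = ring.name
            res.reason = f"crash rate {rate:.2%} exceeds {max_crash_rate:.2%}; roll back {ring.name}"
            return res
    return res


# Constructed probes standing in for real endpoint boot/crash telemetry
def healthy_probe(update_id: str, ring: Ring) -> Tuple[int, int]:
    return 0, ring.hosts


def bricking_probe(update_id: str, ring: Ring) -> Tuple[int, int]:
    return ring.hosts, ring.hosts  # every host that loads the content crashes on boot


def silent_probe(update_id: str, ring: Ring) -> Tuple[int, int]:
    return 0, 3  # almost nothing reported back: the canary fleet went dark


if __name__ == "__main__":
    for label, probe in [("good", healthy_probe), ("bad", bricking_probe), ("silent", silent_probe)]:
        r = rollout("content-update-0001", DEFAULT_RINGS, probe)
        print(label, "ok" if r.ok else f"HALTED at {r.halted_at}: {r.reason}", r.deployed)
```

The min_reports check is the part most rollout gates forget: a content file that boot-loops every host produces no crash reports at all, so a gate that waits for a high crash rate would wave it through.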
Toyota (2023)
• Industry: Automotive Manufacturing
• Root Cause: Misconfigured access policies and publicly exposed cloud endpoint
• Attack Path Summary: Developer tool logs cloud credentials to local file → file synced to misconfigured Git repo → attacker discovers credential via scan → access leads to leakage of internal environment details and production metadata
• Top Threats: TT1 (Misconfiguration), TT2 (IAM), TT4 (Cloud Strategy), TT7 (Accidental Disclosure), TT8 (System Vulnerabilities), TT9 (Limited Cloud Visibility), TT10 (Unauthenticated Resource Sharing)
• Control Missed: IAM-06, CCC-03, IVS-01
• Notable Detail: Credential exposure persisted for nearly a decade before detection. The primary visibility gap was in static storage and code repositories.
• Impacts:
• Access to internal Toyota environment documentation
• Potential blueprint exposure
• Internal credentials exposed for supplier operations
• Metrics:
• % of credentials rotated annually
• # of misconfigured GitHub projects
• % of cloud assets with unmonitored exposure
• Mitigations:
• Require infrastructure-as-code access control auditing
• Prevent IAM secrets from leaving trusted development pipeline
• Monitor commits and containers for credentials
• Deploy automated detection for cloud baseline deviations
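The last two mitigations and the "% of credentials rotated annually" metric reduce to comparing a live inventory against an approved baseline and reporting every deviation, including credentials older than the rotation window. The Python below is an added example for this page, not Toyota's or the report's tooling. The baseline rules are assumptions, and the snapshot is constructed, shaped only loosely like S3 bucket settings, bucket policies and IAM access-key metadata.

```python
from datetime import date

# Assumed approved baseline for the account
BASELINE = {
    "public_access_block": True,   # every bucket must block public access
    "wildcard_principal": False,   # no Principal "*" grants
    "max_key_age_days": 365,       # the "% of credentials rotated annually" KPI
}
TODAY = date(2024, 5, 21)          # fixed "now" so the example is reproducible

# Constructed snapshot
SNAPSHOT = {
    "buckets": [
        {"name": "prod-telemetry", "public_access_block": True,
         "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/ingest"}}]}},
        {"name": "legacy-exports", "public_access_block": False,
         "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Principal": "*"}]}},
    ],
    "access_keys": [
        {"user": "ci-deploy", "key_id": "KEY-0001", "created": "2024-03-01", "last_used": "2024-05-20"},
        {"user": "legacy-sync", "key_id": "KEY-0002", "created": "2014-06-15", "last_used": "2024-05-19"},
    ],
}


def has_wildcard_principal(policy):
    """True if any Allow statement grants to Principal '*' (bare, or inside the AWS field)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal")
        if p == "*":
            return True
        if isinstance(p, dict):
            aws = p.get("AWS", [])
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


def bucket_deviations(bucket, baseline):
    reasons = []
    if baseline["public_access_block"] and not bucket.get("public_access_block", False):
        reasons.append("public access block disabled")
    if not baseline["wildcard_principal"] and has_wildcard_principal(bucket.get("policy", {})):
        reasons.append("wildcard principal in bucket policy")
    return reasons


def key_age_days(key, today):
    return (today - date.fromisoformat(key["created"])).days


def key_deviations(key, baseline, today):
    age = key_age_days(key, today)
    if age > baseline["max_key_age_days"]:
        return [f"key age {age} days exceeds {baseline['max_key_age_days']}"]
    return []


def detect_drift(snapshot, baseline, today):
    """Every resource that deviates from the baseline, as (type, name, reasons)."""
    drift = []
    for b in snapshot["buckets"]:
        r = bucket_deviations(b, baseline)
        if r:
            drift.append(("bucket", b["name"], r))
    for k in snapshot["access_keys"]:
        r = key_deviations(k, baseline, today)
        if r:
            drift.append(("access_key", k["user"], r))
    return drift


def rotation_kpi(keys, today, max_age_days):
    """% of access keys younger than max_age_days (rotated within the window)."""
    if not keys:
        return 100.0
    fresh = sum(1 for k in keys if key_age_days(k, today) <= max_age_days)
    return round(100.0 * fresh / len(keys), 1)


if __name__ == "__main__":
    for item in detect_drift(SNAPSHOT, BASELINE, TODAY):
        print("DRIFT", item)
    print("rotated within 365d:", rotation_kpi(SNAPSHOT["access_keys"], TODAY, 365), "%")
```

Run on a schedule, the same comparison yields the "% of baseline deviations auto-detected" KPI: deviations found by this job divided by deviations found by any means (audits, incidents, external reports).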
DarkBeam (2023)
• Industry: Threat Intelligence and Digital Risk Protection
• Root Cause: Publicly exposed Elasticsearch instance with no authentication
• Attack Path Summary: Asset indexed in Shodan → accessed without authorization → attacker exfiltrated raw monitoring data from global threat intelligence clients
• Top Threats: TT1 (Misconfiguration & Change Control), TT3 (Insecure Interfaces & APIs), TT7 (Accidental Data Disclosure)
• Control Missed: DCS-03, IAM-12, LOG-05, CCC-03, IAM-04, IVS-03, CCC-07, A&A-06
• Notable Detail: Database included real-time credential monitoring results used by enterprise clients to detect credential leaks, exposed via a misconfigured Kibana interface with no access restrictions
• Impacts:
• Exposure of threat telemetry and credential monitoring data
• Undermining of customer trust in DRP platform
• Regulatory reporting triggered in EU (GDPR exposure risk)
• Metrics:
• % of unauthenticated endpoints exposed externally
• % of cloud assets lacking network ACLs
• Time between public indexing and internal detection
• Mitigations:
• Enforce authentication and access controls on all cloud assets
• Implement external asset inventory scanning and firewall rules
• Use monitoring accounts with least privilege and read-only access
• Apply automated detection for baseline deviation in public exposure
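The first metric and the external-asset-scanning mitigation above need a probe that answers one question per endpoint: does it hand data to a request carrying no credentials? The Python below is an added example for this page, not DarkBeam's or the report's tooling. It classifies responses from Elasticsearch and Kibana ports using the same signals an indexer such as Shodan records (the fixed Elasticsearch tagline in the root document; Kibana's kbn-name response header). The fetch function is injected: http_fetch is a real probe, while the responses used here are constructed so the example runs offline; the asset list is an assumption.

```python
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumed asset inventory (host, port, service): from CMDB, cloud API, or an external scan
ASSETS = [
    ("203.0.113.5", 9200, "elasticsearch"),
    ("203.0.113.5", 5601, "kibana"),
    ("203.0.113.9", 9200, "elasticsearch"),
    ("203.0.113.9", 5601, "kibana"),
]
PROBE_PATH = {"elasticsearch": "/", "kibana": "/api/status"}


def http_fetch(url, timeout=5):
    """Real probe (not exercised in the offline demo): returns (status, headers, body_prefix)."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "exposure-audit"}), timeout=timeout) as r:
            return r.status, dict(r.headers.items()), r.read(4096).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, dict(e.headers.items()), ""
    except (URLError, OSError):
        return 0, {}, ""


def classify(service, status, headers, body):
    """Decide whether the service answered a credential-less request with real data."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 0:
        return "unreachable"
    if status == 401 and "www-authenticate" in h:
        return "auth-required"
    if status in (301, 302, 303) and "/login" in h.get("location", ""):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        # Elasticsearch's root document carries cluster name, version and this fixed tagline
        if service == "elasticsearch" and isinstance(doc, dict) and doc.get("tagline") == "You Know, for Search":
            return "elasticsearch-unauthenticated"
        # Kibana sets a kbn-name response header; 200 on /api/status with no login means no auth
        if service == "kibana" and "kbn-name" in h:
            return "kibana-unauthenticated"
    return "other"


def audit(assets, fetch=http_fetch):
    results = []
    for host, port, service in assets:
        status, headers, body = fetch(f"http://{host}:{port}{PROBE_PATH[service]}")
        results.append((host, port, classify(service, status, headers, body)))
    return results


def exposure_kpi(results):
    """% of probed endpoints answering without authentication (the slide's first metric)."""
    exposed = sum(1 for _, _, c in results if c.endswith("-unauthenticated"))
    return round(100.0 * exposed / len(results), 1) if results else 0.0


# Constructed responses; in production pass http_fetch to audit() instead
FAKE_RESPONSES = {
    "http://203.0.113.5:9200/": (200, {"content-type": "application/json"}, json.dumps(
        {"name": "node-1", "cluster_name": "monitoring", "version": {"number": "7.10.2"},
         "tagline": "You Know, for Search"})),
    "http://203.0.113.5:5601/api/status": (200, {"kbn-name": "kibana", "content-type": "application/json"},
                                           '{"status": {"overall": {"state": "green"}}}'),
    "http://203.0.113.9:9200/": (401, {"WWW-Authenticate": 'Basic realm="security"'}, ""),
    "http://203.0.113.9:5601/api/status": (302, {"Location": "/login?next=%2Fapi%2Fstatus"}, ""),
}


def fake_fetch(url, timeout=5):
    return FAKE_RESPONSES.get(url, (0, {}, ""))


if __name__ == "__main__":
    res = audit(ASSETS, fake_fetch)
    for r in res:
        print(r)
    print("unauthenticated:", exposure_kpi(res), "%")
```

Run this from outside the network perimeter, on a schedule, and compare the first run that reports an endpoint as unauthenticated against the date a public index first listed it: that difference is the slide's "time between public indexing and internal detection".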
Retool/Fortress (2023)
• Industry: Fintech + Access Management
• Root Cause: Social engineering + MFA reset abuse via Google Authenticator cloud sync
• Attack Path Summary: Threat actor used smishing and vishing to phish credentials and an OTP → added a device under their control to the employee's Okta account → used the OTP codes synced through Google Authenticator to reach internal admin tooling → took over 27 customer accounts → exfiltrated $15M in crypto from Fortress
• Top Threats: TT1 (Misconfiguration), TT2 (IAM), TT5 (Third-Party Resources)
• Control Missed: IAM-04, IAM-05, TVM-07, CCC-04, CCC-06, HRS-11, CCC-07, LOG-05, IAM-08, CCC-09, DSP-17, SEF-03
• Notable Detail: Threat actor exploited Google Authenticator’s new cloud sync feature and Retool’s admin tooling during a migration to Okta
• Impacts:
• $15M in crypto assets stolen from Fortress clients
• Customer API access tokens rotated post-breach
• Blowback to fintech trustworthiness
• Metrics:
• % of privileged user actions not logged
• # of MFA resets without secondary checks
• Mitigations:
• Require out-of-band verification (callback to a known number or a ticketed identity check) before any MFA reset or new-device enrollment
• Treat OTP apps that sync seeds to the cloud as shared with the user's consumer account; use phishing-resistant MFA (hardware keys) for admin tooling
• Alert on admin device changes and MFA resets as baseline deviations
• Log every privileged action in admin tooling, and review identity migrations as high-risk change windows
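The two metrics above ("# of MFA resets without secondary checks", "baseline deviation detection rate for admin device changes") can be computed directly from an identity provider's event log. The Python below is an added example for this page, not Retool's, Okta's or the report's code. The events are constructed; the eventType strings follow Okta System Log naming (user.session.start, user.mfa.factor.activate, user.mfa.factor.reset_all), while the admin-tool event name, the users, the IPs and the ticket field are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events
EVENTS = [
    {"ts": "2023-08-21T09:00:00", "type": "user.session.start", "actor": "alice", "target": "alice", "ip": "203.0.113.40"},
    {"ts": "2023-08-22T09:05:00", "type": "user.session.start", "actor": "alice", "target": "alice", "ip": "203.0.113.41"},
    {"ts": "2023-08-22T11:00:00", "type": "user.mfa.factor.reset_all", "actor": "helpdesk", "target": "carol", "ip": "203.0.113.2", "ticket": "IT-4411"},
    {"ts": "2023-08-23T10:00:00", "type": "user.mfa.factor.reset_all", "actor": "helpdesk", "target": "bob", "ip": "203.0.113.2"},
    # After the cutoff: the smishing/vishing pattern. Login from a network the user never used,
    # a new OTP factor enrolled minutes later, then a privileged action from the same session.
    {"ts": "2023-08-27T14:02:00", "type": "user.session.start", "actor": "alice", "target": "alice", "ip": "198.51.100.23"},
    {"ts": "2023-08-27T14:05:00", "type": "user.mfa.factor.activate", "actor": "alice", "target": "alice", "ip": "198.51.100.23", "factor": "GOOGLE_OTP"},
    {"ts": "2023-08-27T14:20:00", "type": "admin.customer_account.reassign", "actor": "alice", "target": "customer-0427", "ip": "198.51.100.23"},
]
CUTOFF = datetime(2023, 8, 25)  # baseline window ends here
FACTOR_CHANGE = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}
PRIVILEGED = {"admin.customer_account.reassign"}  # assumed admin-tool event


def t(ev):
    return datetime.fromisoformat(ev["ts"])


def known_ips(events, cutoff):
    """Per user: source IPs seen on sessions before the cutoff."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "user.session.start" and t(ev) < cutoff:
            seen[ev["actor"]].add(ev["ip"])
    return seen


def suspicious_enrollments(events, cutoff, window=timedelta(minutes=30)):
    """Factor added or reset within `window` of a session that started from an IP the
    user had never used before the cutoff: (ts, user, ip, event_type)."""
    base = known_ips(events, cutoff)
    alerts = []
    for ev in events:
        if ev["type"] not in FACTOR_CHANGE or t(ev) < cutoff:
            continue
        user = ev["target"]
        for s in events:
            if (s["type"] == "user.session.start" and s["actor"] == user
                    and timedelta(0) <= t(ev) - t(s) <= window and s["ip"] not in base[user]):
                alerts.append((ev["ts"], user, s["ip"], ev["type"]))
                break
    return alerts


def resets_without_verification(events):
    """KPI: MFA resets performed with no recorded secondary check (no ticket reference)."""
    return [(ev["ts"], ev["target"], ev["actor"]) for ev in events
            if ev["type"] == "user.mfa.factor.reset_all" and not ev.get("ticket")]


def privileged_after_factor_change(events, window=timedelta(hours=24)):
    """Privileged actions by a user whose factors changed in the preceding window;
    a candidate for a hold-and-verify step rather than silent execution."""
    hits = []
    for ev in events:
        if ev["type"] not in PRIVILEGED:
            continue
        recent = [c for c in events if c["type"] in FACTOR_CHANGE and c["target"] == ev["actor"]
                  and timedelta(0) <= t(ev) - t(c) <= window]
        if recent:
            hits.append((ev["ts"], ev["actor"], ev["type"], ev["target"], recent[-1]["ts"]))
    return hits


if __name__ == "__main__":
    for a in suspicious_enrollments(EVENTS, CUTOFF):
        print("ALERT", a)
    print("resets without ticket:", resets_without_verification(EVENTS))
    for h in privileged_after_factor_change(EVENTS):
        print("HOLD", h)
```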
FTX (2022)
• Industry: Cryptocurrency Exchange
• Root Cause: SIM swap leading to takeover of 2FA-enabled account
• Attack Path Summary: Criminal attackers reset OTP-protected credentials via SIM swap → accessed FTX wallets and cloud systems → exploited SMS-based OTP as the only second factor and the absence of transaction controls → stole $400M+ in crypto
• Top Threats: TT2 (IAM), TT6 (Insecure Software Development), TT8 (System Vulnerabilities)
• Controls Missed: IAM-06, IAM-08, IAM-13, IAM-14, CCC-04, CCC-06, CCC-07, CCC-09, HRS-11, IVS-09, LOG-03, A&A-06, SEF-03, SEF-07, STA-12, CEK-12, BCR-08
• Notable Detail: Attack stemmed from SIM-swapped access and poor internal controls, enabled by OTP-based 2FA and lack of cloud security visibility
• Impacts:
• $400M+ siphoned from FTX wallets
• SEC and DOJ investigations launched
• CEO sentenced; FTX collapsed into bankruptcy
• Metrics:
• MTTD: Hours to days; no real-time detection
• % of privileged accounts lacking anomaly detection
• % of training completion and access baseline compliance
• Mitigations:
• Eliminate SMS-based 2FA; enforce modern MFA methods (e.g., passkeys, hardware keys)
• Regular access reviews and IAM audits
• Detect SIM swaps and anomalous login behavior
• Implement clawback and incident response procedures tailored to crypto
• Establish board-level cybersecurity governance and continuous monitoring
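The first, third and fourth mitigations above combine into a single authorization decision for a withdrawal: which factors are trusted right now, whether the destination and amount are within policy, and whether the current session was strong enough. The Python below is an added example for this page, not FTX's or the report's code. The accounts, limits, the seven-day SIM-change lookback and the phone_changed_at signal (which in practice comes from a carrier or number-port feed) are assumptions.

```python
from datetime import datetime, timedelta

STRONG_FACTORS = {"webauthn", "hardware_key", "passkey"}  # phishing-resistant, not SIM-swappable
SIM_SWAP_LOOKBACK = timedelta(days=7)   # assumption: recent number port/carrier change = suspect SMS
DAILY_LIMIT = 1_000_000.0               # assumption: per-user 24h withdrawal ceiling without review
ALLOWLIST_AGE = timedelta(hours=24)     # assumption: new destinations must age before use
NOW = datetime(2022, 11, 12)            # fixed "now" so the example is reproducible

# Constructed accounts
ACCOUNTS = {
    "treasury-ops": {
        "factors": ["sms", "webauthn"],
        "phone_changed_at": "2022-01-10T00:00:00",
        "allowlist": {"bc1q-known-coldwallet": "2022-06-01T00:00:00"},
        "withdrawals_24h": [150_000.0],
    },
    "exchange-admin": {
        "factors": ["sms"],                          # SMS is the only second factor
        "phone_changed_at": "2022-11-10T03:00:00",   # number moved to a new SIM two days ago
        "allowlist": {"bc1q-attacker": "2022-11-11T20:00:00"},
        "withdrawals_24h": [],
    },
}


def authorize(user, amount, destination, session_factor, now=NOW, accounts=ACCOUNTS):
    """Return (decision, reasons) for a withdrawal: 'allow', 'step-up' (re-authenticate with a
    phishing-resistant factor) or 'deny' (hold for manual review). Checks run in order of
    severity so the first hard failure is reported."""
    acct = accounts[user]
    reasons = []
    factors = set(acct["factors"])
    if now - datetime.fromisoformat(acct["phone_changed_at"]) <= SIM_SWAP_LOOKBACK:
        reasons.append("phone number changed recently: SMS factor untrusted")
        factors.discard("sms")
    if not factors & STRONG_FACTORS:
        reasons.append("no phishing-resistant factor enrolled")
        return "deny", reasons
    added = acct["allowlist"].get(destination)
    if added is None:
        reasons.append("destination not on allowlist")
        return "deny", reasons
    if now - datetime.fromisoformat(added) < ALLOWLIST_AGE:
        reasons.append("destination allowlisted less than 24h ago")
        return "deny", reasons
    if sum(acct["withdrawals_24h"]) + amount > DAILY_LIMIT:
        reasons.append("24h withdrawal velocity over limit")
        return "deny", reasons
    if session_factor not in STRONG_FACTORS:
        reasons.append(f"session authenticated with {session_factor}; require strong factor")
        return "step-up", reasons
    return "allow", reasons


if __name__ == "__main__":
    print(authorize("exchange-admin", 50_000_000.0, "bc1q-attacker", "sms"))
    print(authorize("treasury-ops", 200_000.0, "bc1q-known-coldwallet", "webauthn"))
    print(authorize("treasury-ops", 200_000.0, "bc1q-known-coldwallet", "sms"))
```

The order matters: a SIM-swapped account with SMS as its only factor is denied before the destination or amount is even examined, and a legitimate operator who logged in with SMS is asked to step up rather than refused.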
Microsoft (2024)
• Industry: Cloud and Identity Provider
• Root Cause: Legacy, non-production test tenant account without MFA compromised by password spraying, plus a legacy test OAuth application with elevated access into the corporate environment
• Attack Path Summary: Midnight Blizzard (APT29) password-sprayed a legacy test tenant account that lacked MFA → used it to compromise a legacy test OAuth app with elevated access → created further malicious OAuth apps and granted them Exchange Online full_access_as_app → read email from corporate mailboxes across tenants. (The signing key recovered from a crash dump, sometimes conflated with this case, belonged to a separate 2023 Microsoft incident.)
• Top Threats: TT2 (IAM), TT3 (Insecure Interfaces & APIs), TT4 (Cloud Security Strategy), TT6 (Insecure Software Development), TT9 (Limited Cloud Visibility)
• Control Missed: IAM-14, LOG-03, CCC-07, DSP-05, IAM-11, SEF-03, A&A-06, DSI-02
• Notable Detail: A single legacy test account enabled creation of additional malicious OAuth apps with full_access_as_app privileges, reaching executive leadership mailboxes at Microsoft and at other major enterprise and government organizations.
• Impacts:
• Cross-tenant Azure AD compromise
• Email theft from Microsoft executive teams and customers
• Regulatory scrutiny and reputational impact
• Metrics:
• Mean-Time-to-Detect (MTTD): about seven weeks (late November 2023 to 12 January 2024)
• % of test accounts without MFA or token expiration
• # of OAuth apps with elevated roles
• Mitigations:
• Enforce MFA across all accounts, including non-prod
• Rotate token signing keys and audit key access
• Detect OAuth misuse via behavioral baselines
• Isolate test environments from production and auto-expire permissions
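The metrics "# of OAuth apps with elevated roles" and "% of test accounts without MFA" come from joining the app inventory with the accounts that own those apps. The Python below is an added example for this page, not Microsoft's or the report's tooling. The records are constructed and shaped only loosely like Entra ID app registrations with their granted application permissions; the set of roles treated as elevated, the 90-day staleness window and the account attributes are assumptions (full_access_as_app is the Exchange Online role named on the slide).

```python
from datetime import date

# Constructed app registrations with granted application permissions (app roles) and owners
APPS = [
    {"app_id": "app-1", "name": "mail-archiver", "app_roles": ["full_access_as_app"],
     "owners": ["svc-archive"], "last_sign_in": "2024-01-10"},
    {"app_id": "app-2", "name": "legacy-test-app", "app_roles": ["full_access_as_app", "Directory.ReadWrite.All"],
     "owners": ["test-user-07"], "last_sign_in": "2023-06-02"},
    {"app_id": "app-3", "name": "hr-sync", "app_roles": ["User.Read.All"],
     "owners": ["hr-admin"], "last_sign_in": "2024-01-09"},
]
ACCOUNTS = {
    "svc-archive": {"mfa": True, "non_prod": False},
    "test-user-07": {"mfa": False, "non_prod": True},   # legacy test account, no MFA
    "hr-admin": {"mfa": True, "non_prod": False},
}
# Assumed set of tenant-wide roles worth an alert on their own
ELEVATED = {"full_access_as_app", "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Mail.ReadWrite"}
TODAY = date(2024, 1, 12)


def audit_apps(apps, accounts, today, stale_days=90):
    """Rank apps: elevated roles owned by a non-MFA or non-prod identity are critical,
    elevated roles alone are high; unused elevated apps are additionally flagged for removal."""
    findings = []
    for app in apps:
        roles = ELEVATED & set(app["app_roles"])
        if not roles:
            continue
        weak_owners = [o for o in app["owners"] if not accounts[o]["mfa"] or accounts[o]["non_prod"]]
        stale = (today - date.fromisoformat(app["last_sign_in"])).days > stale_days
        severity = "critical" if weak_owners else "high"
        reasons = [f"elevated roles: {sorted(roles)}"]
        if weak_owners:
            reasons.append(f"owned by non-MFA/non-prod identities: {weak_owners}")
        if stale:
            reasons.append(f"no sign-in for >{stale_days} days: remove the app or its roles")
        findings.append((severity, app["name"], reasons))
    return sorted(findings, key=lambda f: 0 if f[0] == "critical" else 1)


def kpis(apps, accounts):
    """The two slide metrics this audit produces."""
    elevated_apps = sum(1 for a in apps if ELEVATED & set(a["app_roles"]))
    nonprod = [u for u, a in accounts.items() if a["non_prod"]]
    without_mfa = sum(1 for u in nonprod if not accounts[u]["mfa"])
    pct = round(100.0 * without_mfa / len(nonprod), 1) if nonprod else 0.0
    return {"elevated_oauth_apps": elevated_apps, "nonprod_accounts_without_mfa_pct": pct}


if __name__ == "__main__":
    for f in audit_apps(APPS, ACCOUNTS, TODAY):
        print(f)
    print(kpis(APPS, ACCOUNTS))
```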
Summary (Threats, Control Failures, and Loss)
Case             Year  Key Threats                Key Control Failures     Est. Loss
Snowflake        2024  TT2, TT11                  IAM, DSP, LOG            $2M+
Football AU      2024  TT1, TT2, TT6, TT7, TT10   CCC, DSP, IAM, STA, LOG  $370K+ (est.)
CrowdStrike      2024  TT6, TT1, TT4, TT5         QA, TVM, A&A, SEF        $5.4B (est.)
Toyota           2023  TT1, TT2, TT9              IAM, CCC, IVS            Ongoing risk
DarkBeam         2023  TT1, TT3, TT7              DCS, IAM, LOG            Undisclosed
Retool/Fortress  2023  TT2, TT5, TT10             IAM, SEF, STA            $15M
FTX              2022  TT2, TT4, TT8              IAM, SEF, IVS            $400M+
Microsoft        2024  TT2, TT6, TT8              DSP, IAM, DSI            Global impact
Strategic Takeaways for Cloud Leaders
• IAM hygiene is essential: MFA, least privilege, regular reviews
• Misconfigurations linger — drift detection is non-optional
• Vendors are not fail-safe: Audit dependencies + build fallback
• Metrics > intentions: monitor effectiveness, not existence
• IR needs to reflect cloud-first reality
• Mindset Shift: Don’t assume config safety — prove it
• Immediate Actions: Validate secrets mgmt, test failover, map TT coverage to controls
• Extra Insight: Failures often stem from security debt: old credentials, legacy permissions, misaligned default settings, and insufficient post-deploy validation.
Metrics & KPI Dashboard
• Suggested Cloud Security KPIs:
• MTTD: Time to detect breach indicators
• MTTR: Time to remediate vulnerabilities
• IAM Coverage: % with MFA + Least Privilege
• Drift Detection: % of baseline deviations auto-detected
• Policy Compliance: % of configs meeting approved standards
• Control Effectiveness Examples:
• # of IAM exceptions
• # of audit failures
• % systems with enforced logging (LOG-03)
• Insight: Prioritize metrics tied to incident impact (e.g., anomaly response time, containment duration) over raw configuration counts.
Acknowledgements
• Top Threats Working Group Co-chairs:
• Jon-Michael C. Brook
• Alexander Stone Getsin
• Vic Hargrave
• Michael Roza
• Lead Authors:
• Jon Michael Brook
• Randall Brooks
• Alexander Stone Getsin
• Laura Kenner
• Michael Morgenstern
• Rangel Rodrigues
• Michael Roza
• Sherre Stine
• Mark Szalkiewicz
• Contributors:
• Singa Ambikapathi
• Alex Kaluza
• Sara Farnsworth
• Udith Wickramasuriya
• Vatsal Gupta
• Sathish Holl
• Akanksha Chaturvedi
• Sakshi Mittal
• Pankaj Kumar
• Patrick Saint
• Tulias Sahil Dhir
• Reviewers:
• Sai Vishnu Vardhan Machapatri
• Lakshmi Ramya Gudimella Ananta Venkata
• Bhavya Jain
• Sahil Parmar
• Harry Wan
• Shiva Pati
• Dharnisha Narasappa
• Vishnu Machapatri
• Morgan King
• Rajiv Dewan
• CSA Staff:
• Claire Lehnert
• Stephen Lumpe
• Stephen Smith
• Special Thanks: The Top Threats Working Group would like to thank Sean Heide for six years of support through this and multiple previous publications.